EP2568346B1

EP2568346B1 - Robust system control method with short execution deadlines

Info

Publication number: EP2568346B1
Application number: EP11306103.0A
Authority: EP
Inventors: Patrick Andrianiaina; Alexandre Seuret; Daniel Simon
Original assignee: Airbus Operations SAS
Current assignee: Airbus Operations SAS
Priority date: 2011-09-06
Filing date: 2011-09-06
Publication date: 2015-12-30
Anticipated expiration: 2031-09-06
Also published as: US9164796B2; CN102981405B; EP2568346A1; CN102981405A; US20130219402A1

Description

The present invention relates to the control of critical automatic systems. The present invention has applications in robust automatic systems for which stability is a critical issue such as avionics systems.
Critical security products, such as avionics products, are generally developed under strict safety regulations. These safety regulations include determinism and predictability of the systems' timing behaviour. Typically, the overall development approach is based on a separation of control design and implementation concerns.
During the control design, an important issue is to keep constant sampling rates with equidistant samples and no jitter and to have negligible, or fixed and known, delays. Also, according to the real-time scheduling theory, it is mainly focused on dimensioning resources for meeting deadlines (or equivalently, on the schedule analysis for a given resource).
Typically, during operation, each resource of the system is allocated a time slot for responding to a solicitation. If the resource responds too late, the response is not taken into account. For example, considering a flight command, if a command is output by a pilot for acting on the engine power, a time slot is allocated to the engine power control system for applying the command to the engine. If the command is not applied before the end of the time slot, the control system may be considered as out of order and the overall security system of the aircraft may select an auxiliary engine power control system.
In the field of computer science and real-time scheduling, it is a main goal to implement these control tasks considering fixed periods and hard deadlines. These deadlines are usually chosen equal or greater than the "WCET" (acronym for Worst-Case Execution Time). The WCET must be precisely known in order to guarantee a safe operation of the systems.
This assumption has served the separation between control and scheduling designs, but leads to a non optimal use of computing resources (CPU resources) and such an approach faces technical, economical, and industrial challenges.
One of the toughest challenges in the prior art approach is the determination of the WCET needed for dimensioning the systems. The tightness of the result is related to the predictability of the processing unit.
The upcoming generations of processors seem to go apart from the predictability and determinism objectives of the execution time. Processing speeds and performances grow up very fast thanks to accelerating but unpredictable mechanisms of new processors but it becomes very difficult to foresee their effects on the execution time considered in the worst case. Nowadays, even if many attempts are proposed to determine an upper bound for the WCET, both the traditional and current approaches are difficult to apply to modern processor generations and produce values which are pessimistic, that is to say values which would cause the system to operate too conservatively.
Then, to implement the control laws, the hard and costly way of the prior art consists in building a highly deterministic system, from the hardware, operating system and communication protocols sides, so that the actual implementation parameters meet the ideal ones. By essence, implementations purely based on WCET and hard deadlines considerations are conservative, and lead to a non-optimal use of the computing and networking resources and finally lead to electrical supplies, cooling systems and weight oversizing.
Current real-time systems design methods and associated analysis tools do not provide a model flexible enough to fit well with control systems requirements. Also, classic control theory is silent about how to include resource and dependability constraints into the controller, both at the design and implementation stages.
Document EP 1 544 716 A2 discloses an information processing system wherein if it is found that there is no task set in the ready state as a result of watching the number of tasks set in the ready state, the system lowers the power while the current active task controls the power according to the preset WCET of each application slice and if there is any task set in the ready state, the system raises the power and the current active task comes to control the power according to the virtual WCET that is earlier than the WCET of each application slice.
Document DE 10 2004 051967 A1 discloses a method for executing a computer program including multiple program objects according to which errors are detected while the computer program is running and when an error is detected, at least one program object, which has already been sent for execution, is transferred into a defined state and is restarted from there, and subsequent additional program objects are shifted.
In summary, in the prior art control techniques for automatic systems implement hard deadlines for the execution of control tasks and do not admit missing any deadline. Also the WCET approach does not allow an optimal use of the CPU resources since most of the time the task is able to output a result well before the WCET deadline (in other words, it is extremely infrequent that the tasks execution duration reaches the WCET).
Thus, there is a need for optimizing computer resources in critical automatic systems.
According to a first aspect of the invention there is provided a method according to claim 1.
Thus, it is not systematically waited for the worst case execution time (WCET) to elapse before checking whether a task has ended and before taking the following actions. This results in savings in terms of computing power.
Indeed, the WCET is almost always larger than the execution time, in particular for safety-critical applications. Therefore, in the vast majority of the task executions, the task ends well before the end of the WCET. The time between the end of the task and the end of the WCET corresponds to time during which the resources allocated to the execution of the task (such as processors) are not used.
The Inventors have found that this time can be reduced so that the computing resources may be optimized. This time may be used for executing other tasks thereby enhancing the processing efficiency of the system. The system may also be dimensioned with less computer resources thereby saving costs associated to redundant computing resources usually provided in the system as backup resources for the infrequent case wherein a failure of equipment is detected because it has carried out a task with an execution time longer than the WCET. Energy may also be saved in the system and the volume and the mass may also be reduced.
The Inventors found that the execution time slots allocated to the execution of the tasks in automatic systems may be shorter than the WCET while preserving the performances of the systems.
Indeed, as far as closed-loop control systems are considered, more flexible solutions can be implemented by exploiting the basic features of feedback loops, robustness with respect to modelling uncertainties, disturbance rejection and adaptability to various operative conditions. Robustness of feedback controllers also implies some fault-tolerance with respect to deviations from the ideal timing pattern, e.g. equidistant sampling. This feature can be efficiently used to guarantee the end-to-end control quality, i.e. stability and performance level, under weakened real-time constraints, therefore improving the overall computing power average utilization.
The inventors thus provide for a "weakened" (i.e. not as rigid as in the prior art wherein the WCET must be strictly respected) implementation scheme for real-time feedback controllers. The invention reduces the conservatism due to traditional worst-case considerations while preserving the stability and control performance of the system.
Based on a new approach for assessing stability of linear systems with delayed and sampled-data inputs, the invention takes into account the effects of missed deadlines by control tasks and uncertainties in the controlled system (or plant).
The invention "weakens" the real-time constraints and enables to save computing power while preserving the system's stability.
The worst case execution time may be determined during a preliminary statistical analysis if the task execution in the system. For example, the task is launch a given number of time and the execution time is monitored and stored. The condition of execution of the tasks may be varied in order to take into account bad and good conditions of operation of the system (for example simulations of hardware failures or software bugs). The highest execution time measured during the analysis thus corresponds to the worst case execution time.
A task may correspond to an instance of a computer program such as a computing process, for example a set of instructions to be executed by one or several processors for implementing a computing code. The task may also correspond to one or several computing threads.
According to embodiments, the task is launched periodically according to a fixed period of time.
Hence, the savings in terms of computing cycles are made on a regular basis thereby enhancing the overall optimization of the system.
For example, when the execution of the task ends before the allocated time slot, the method further comprises outputting a value calculated based on a current input value.
This may correspond to a regular case wherein the task has to output a command signal to an actuator, based on measurement values from sensors that have triggered the task execution.
According to another example, when the execution of the task does not end before the allocated time slot, the method further comprises outputting a value calculated based on a previous input value.
Thus, the system may still be in operation by holding the current command on the actuators. This is an alternative to the total deactivation of the processors executing the task when an execution time slot deadline is missed.
According to embodiments, the method further comprises stopping the task and launching the task again at the next period of time with a next input value.
The current value is thus ignored in order not to slow down the overall operation of the system.
According to embodiments, the time slot is determined so that a statistical maximum number of consecutive tasks, that do not end before the time slot, is below a performance threshold.
For example, the time slot is determined so that a probability for reaching a maximum number of consecutive tasks that do not end before the time slot is below a performance threshold.
Thus, the system designer may carry out a preliminary analysis of the system during which a trade-off is defined between robustness and resource optimization.
According to embodiments, the system has a feedback loop.
Such systems may be robust enough to easily allow for execution time slots shorter than the WCET. Such systems may also tolerate deadlines to be missed.
For example, the task corresponds to a command of an actuator of the system.
According to a second aspect of the invention, there are provided computer programs and computer program products comprising instructions for implementing a method according to the first aspect of the invention, when loaded and run on computer means of a control unit of a system. Computer readable means storing such computer programs are also provided.
According to a third aspect of the invention there is provided a system comprising a control unit configured to carry out a method according to the first aspect.
According to a fourth aspect of the invention, there is provided an aircraft command system comprising a system according to the third aspect.
According to a fifth aspect of the invention, there is provided an aircraft comprising a system according to the fourth aspect.
The objects according to the second, third, fourth and fifth aspects of the invention provide at least the same advantages as those provided by the method according the first aspect of the invention. The objects according to the third, fourth and fifth aspects of the invention may comprise means for implementing optional features of the method according to the first aspect.
Other features and advantages of the invention will become apparent from the following description of non-limiting exemplary embodiments, with reference to the appended drawings, in which:

Figure 1 is a schematic illustration of a general architecture of an automatic feedback control system;
Figure 2 is a flowchart of steps of a control method according to embodiments;
Figure 3 is a schematic illustration of a procedure for selecting an execution time slot;
Figure 4 is an illustration of an exemplary execution schedule of a control task;
Figure 5 is an illustration of the repartition of the execution times and the associated probability density for a task to be executed by a system;
Figure 6 is an illustration of an execution schedule of a control task according to embodiments;
Figure 7 is an illustration of the selection of a time slot shorter than the WCET;
Figure 8 is a block diagram of a pitch control system of an F-16 aircraft;
Figure 9 is an illustration of an execution schedule of a control task for a case study;
Figures 10-13 , 14a-14b and 15a-15b are graphs showing case study results; and
Figure 16 is a schematic illustration of a system according to embodiments.

The inventors have found that nowadays, the automatic control of systems theory have reached a robustness analysis level of confidence that allows for tolerating missed deadlines. The inventors have also found that the widespread WCET approach is far too cautious in most of the applications, even in safety critical applications. In what follows, there is described a method of controlling an automatic system with a time slot allocated to the execution of control tasks shorter that the WCET and that tolerates deadlines to be missed. It is also shown that stability and safety of the system may be guaranteed.
In what follows, for an n-dimensional state vector x and a non-negative delay h, x_t denotes a function such that x_t(θ) = x(t - θ) for all θ ∈ [-h, 0]. The set of such functions x_t is denoted as K^h. The sets R⁺, R^n×n and Sⁿ denote respectively the set of positive scalar, the set of nxn matrices and the set of symmetric matrices of R^n×n. The superscript 'T' stands for the matrix transposition. The notation P > 0 for P ∈ Sⁿ means that P is positive definite. For any matrix A ∈ R^n×n, the notation 2He{A} > 0 refers to A + A^T> 0. The symbols I and 0 represent the identity and the zero matrices of appropriate dimension.
Figure 1 is a schematic illustration of a general architecture of an automatic feedback control system. This architecture may be implemented in various applications such as avionics, automotive, power plant control etc.
According to this architecture, the system has an interface unit 100 from which commands may be sent by a user or by another system. The interface may thus be a keypad, a touch screen or a communication interface. The interface unit outputs command signals to a control unit 101. The control unit then manages the command signal according to the state of the system and outputs control signals to a unit 102 comprising actuators of the system that perform the actions required by the command signals. A sensor unit 103 performs measurements in the system in order to provide the control unit with information enabling the control unit to determine the current state of the system.
In an avionic application, the actuators may be airbrakes, engines or other elements of an aircraft. The sensor unit may comprise speed sensors for example. The interface may be a cockpit lever.
According to embodiments, the control unit may perform a method according to the general flowchart of Figure 2 .
During a step S200, the control unit receives a command signal. This step may be performed sequentially according to a time period. For example, the control unit monitors a communication port from which it receives command signal from the interface.
Next, during step S201, the control unit launches a task corresponding to the command signal. For example the task is a set of processes implemented by processors that perform calculations based on input values contained in the command signal.
Once the control task is launched, the control unit monitors the execution of the task, during step S202, by setting a timer to a time slot allocated to the execution of the task.
Once the time slot has elapsed, the control unit checks whether the task has been executed during step S203 by checking whether the task has output a result.
If the task has ended before the allocated time slot, then the control unit outputs a control signal during step S204. For example, the control signal feeds output values to an actuator of the system which have been calculated based on the input values received in the command signal.
If the task has not ended before the allocated time slot, then the control unit holds a current control signal during step S205. For example, the control signal feeds the actuator with the output values calculated based on input values received in the previous command signal for which the task has been previously launched.
In such a case, the control unit may detect a failure of an element of the control unit that performed the calculation for the execution of the task, for example a processor. The failure is detected during step S206. For example, when a failure is detected, the element (for example the processor) is deactivated and will not be further used until it has been checked. In such a case, the control unit has primary and auxiliary processors for performing the calculations. The primary processors are used in the normal case and the auxiliary processors are used in case of failure of the primary processors.
The deactivation may be carried out the first time a deadline is missed by the task or a counter may be set for deactivating the processor after a given number of missed deadlines.
After steps S204 and S206, the control unit goes back to step S200 according to the sequence time period as already mentioned above.
The time slot is determined based on a trade-off between the performance of the system and the optimization of the processor resources of the control unit as it will be shown hereafter. It is determined to be shorter than the WCET of the task.
The overall procedure for selecting a time slot value is schematically represented in Figure 3 .
During preliminary procedures, the following elements are determined:

The mathematical model of the system 300. The model is based on the physics of the system.
The command algorithms 301 that are designed for operation of the system.
The WCET estimation 302 based on statistical studies of the system. The system is operated a given number of times and the response time for the tasks is measured for determining the distribution of the response times measured.
The performance and the safety specifications 303 the system has to meet given the applications envisaged.
The certification specifications 304 the system has to comply with, for high level safety applications such as avionics applications.

Then, during a first sequence of analysis 305, the modes of operation are specified. During the sequence, the tasks to be executed by the system during the operation modes are sequenced (step S306). Each task is allocated execution time slots and the time slots are ordered according to the operation of the system.
During the next sequence 307, using the model 300, the system is weakened by shortening the execution time slots until the system reaches instability. The execution time slots allocated to the tasks are reduced below the respective WCETs given by item 302 during a step S308.
The resulting stability and robustness of the system are then evaluated during step S309 using items 300 and 301. In parallel, during step S310, the resulting gain in terms of computing resources for the system is evaluated. For example the number of sequences used for executing each task is determined.
During the next sequence 311, the quality of control resulting from the degradation of the system is analysed. A step S312 is performed during which the loss of quality of control is compared with the computer resource optimization attained. In other words, it is checked whether the gain in terms of computer resources (for example the number of processor cycles saved) is worth the performance and the robustness loss.
The optimization of the usage of the resources is then analyzed during a sequence 313. It is checked whether the trade-off between the quality of control (QoC) and the processing resources usage resulting from the degradation of the system is satisfying according to criteria depending on the application ,the performance and safety specifications the system has to comply with (such information being given by items 303 and 304). A step S314 is performed for verifying the satisfaction of these criteria.
If the trade-off is not satisfactory, then step S308 is performed again and the allocated execution time slots are reduced a little more.
If the trade-off is satisfactory, the final result of the system analysis is validated during sequence 315. A step S316 is performed during which the operation of the system with the allocated execution time slots is tested with non linear models of the system. During this test, the allocated time slots values are confirmed using a representation of the system taking into account saturation and uncertainties issues.
Next, if the system functions satisfactorily, even taking into account these issues, the execution time slots are confirmed for each control task during a step S3017.
In what follows, the WCET (acronym for worst case execution time) issues are presented in details with respect to robustness considerations. The solution proposed by the Inventors is then presented.
Nowadays, many control systems, such as flight control or braking control systems, are considered to be hard real-time, which means that during the design of the systems, it is assumed that control tasks must be executed strictly periodically. Control tasks executions are bounded to fixed time slots, it is not allowed missing a deadline, and jitter is also forbidden (or strictly limited in practice). It is assumed that any deviation from the ideal timing pattern inevitably leads to a failure of the system.
The implementation of such control tasks relies on a safe and conservative evaluation of the WCET of each task, which is used to dimension the time slots allocated for the execution of the control tasks. An exemplary execution schedule of a control task is depicted in Figure 4. For example, the task controls the pitch of an aircraft, based on a pilot's commands and other parameters measured on the aircraft elements.
It is assumed that a given task is executed periodically. A time slot T_slot is allocated to the task for its execution. In the exemplary task of Figure 4 the time slot is first considered to be the WCET. Each time slot is triggered at a period T = s_k - s_{k -1} by the occurrence of measurements x(s_k) at time s_k. The measurement may correspond to outputs from sensors of the aircraft (such as speed or pitch sensors) or data accesses (or reading) on communication ports with a cockpit interface.
The computations performed by the control task take a time Tex which is always smaller than the WCET since the WCET corresponds to the worst execution time. In order to avoid output jitter, the control signal U(x(s_k)) is applied to the actuators of the aircraft (such as the engines, the hydraulic actuators, the ailerons or the sweep wings) at the end of the time slot, i.e. at time s_k + WCET :

for any t such that $s_{k} + WCET \leq t < s_{k + 1} + WCET,$
i.e. $\forall t \in [s_{k} + WCET, s_{k + 1} + WCET [, U = U (x (s_{k})) .$

Therefore it is a periodic control system, with a constant period T, subject to a constant delay T_slot = WCET. This implementation fits well with the hard real-time assumption, and should be applied when the controller is really hard, such as a Finite State Machine which may fail in an unpredicted state if a deadline is missed and a transition is interrupted.
However, as the time slots are allocated based on the WCET of the control tasks, the computations always end before the end of the slot. Therefore a fraction of the computing power is unused, namely the computing time not used between the end of T_ex and the end of WCET. The wasted computing power is all the more important as the WCET is far from the average value of the execution time T_ex observed during the statistical study of the system for determining the WCET. In particular, due to an increasing demand on services, new control systems are more and more based on distributed architectures and shared off-the-shelf computing devices. However, high computing power are often based on the usage of multiple levels of cache memory and pipe-lines, lowering the determinism of the processors and increasing the difficulty of searching for the program's WCET, which are in fact approached by increasingly conservative upper bounds.
Figure 5 is an illustration of the repartition of the execution times and the associated probability density determined during a preliminary statistical study of the system. In Figure 5, the execution times concentrate in majority around 40 µs and spread out to other values with a lower probability density. Thus, it appears that the worst case execution time is an extremely infrequent event since its probability is way below the probability of the average execution time. Therefore the amount of wasted computing power is expected to increase with the new generations of control systems, leading to costly over-sizing of embedded computers, power supplies and cooling systems.
That is why the Inventors found it worth to discuss and revisit the widespread "hard real-time" assumption and to examine how it can be weakened, in particular for feedback control systems.
The design of critical systems must satisfy requirements, specifications and certification levels. Robustness is (and must be) a general concern that grows with system complexity. For instance, it is known that small task core execution time modifications in systems with complex performance dependencies can have drastic non-intuitive effects on the overall system performance, and might lead to constraint violations. It is also known that robustness evaluation using simulation is a tedious tasks and practically impossible for the reason that simulation models do not support many of the possible property changes (for instance, increased processor execution times or modified communication volumes).
Robustness in control systems usually deals with the plant's parameters uncertainties, but in the present case the insensitivity or adaptability with respect to timing deviations from the theoretical pattern, such as jitter or missed deadlines, is also investigated. For SISO (single input single output) linear systems robustness can be quantified using phase margins, delay margins and module margins. It appears that a phase margin implies a delay margin (i.e. the maximum and not modelled constant extra delay that can be tolerated before reaching an instability state) and certainly a jitter margin, which is more difficult to quantify but which can be experimentally shown. A feedback control system can be even robust enough to tolerate missed samples, for example in case selective data dropping is applied to lighten the computing and networking burden while preserving closed-loop stability.
In fact, a feedback control system which is robust with respect to the plants parameters uncertainties is also robust, to some extent, with respect to timing deviations. Hence, a feedback control system is not as hard as it is often considered in the literature, but should be better considered as weakly hard, that is to say able to tolerate a predefined amount of timing deviations without leaving its specified performance domain.
Therefore, in order to improve the average efficiency of automatic systems, in particular for embedded computers, while preserving the control stability and performance, and relying on the robustness of feedback control laws, there is proposed a control method that weakens the usual real-time constraints as illustrated in Figure 6 .
Figure 6 takes the same notations as Figure 4. The measurements occur at a fixed period T, and their occurrences trigger the control tasks. According to the invention, the time slot allocated to a given task is shorter that the WCET, i.e. T_slot < WCET.
Figure 7 is a schematic illustration of the density of probability of the execution times for the system. The time slot value is selected to be shorter than the WCET. A time slot which is close to the WCET induces a small probability of deadlines misses, small disturbances in the controller but also small gains in the computer utilization. Conversely a time slot close to the BCET induces frequent deadlines misses, larger degradations of the control performance but large improvements in the CPU utilization. Moreover it is likely that shortening the time slot increases the control performance and robustness, therefore balancing the degradations induced by the deadlines misses.
Hence, for a given plant's model (including parametric uncertainties), a given control law, and a given execution time probability function, the proposed method aims at finding an adequate value of the time slot which meets a desired trade-off between the CPU utilization and the control performance.
The control signals are sent to the actuators at the end of the time slots, i.e. U(x(s_k)) is sent at time s_k + T_slot, and the delay is equal to T_slot $\forall t \in [s_{k} + T_{slot}, s_{k + 1} + T_{slot} [, U = U (x (s_{k})) .$
It may happen that a control task deadline is occasionally missed. In such a case, it is proposed to stop the current computation, hold the current value of the control signal U(x(s_k)) for the next period and start a new computation with the next sensor value. The control signal is thus hold for one extra period, i.e. if the deadline is missed at time s_k + T_slot: $\forall t \in [s_{k} + T_{slot}, s_{k + 2} + T_{slot} [, U = U (x (s_{k}))$

and for N consecutive missed deadlines and data loss: $\forall t \in [s_{k} + T_{slot}, s_{k + N} + T_{slot} [, U = U (x (s_{k})) .$
In other words a newly computed control signal is sent to the actuators at non-equidistant instants t_k' only if the control computation has been successfully carried out: $t_{kʹ} = s_{k} + T_{slot} if T_{ex} \leq T_{slot}$

where k' is a positive integer representing the number of input values which have been implemented before s_k = kT. Then, the control input can be asynchronous since the difference between two sampling instant t_k'+1 - t_k' is time-varying but bounded by T and NT. Hence, t_k'+1 - t_k'= αT, where the integer α ∈ [1, ..., N] and the asynchronous sampling is determined by the values of T and N.
It is likely that a robust feedback control system can keep stability despite occasional data loss, at the price of a decreased performance and robustness. Therefore, for a given linear time-invariant (LTI) plant, a given control law, a known distribution of execution times of the controller and the weakened real-time constraint, problems to be solved can be informally stated as :

find N, the maximum value of consecutive data losses due to missed deadlines before losing the closed-loop stability;
find an adequate value of T_slot to fulfil a given trade-off between the control performance and the computing efficiency;
evaluate the weakly-hard closed-loop robustness with respect to the plant's parameters uncertainties.

In what follows, stability results for systems under uncertainties and input delays are discussed.
A linearized system representing the pitch control of a plane with a sampled and delayed input is considered: $\dot{x} (t) = (A + Δ_{μ} A (t)) x (t) + (B + Δ_{μ} B (t)) u (t),$

x ∈ Rⁿ and u ∈ R^m respectively representing the state variable and the input vector and ẋ(t) representing the derivative of x over time. The matrices A and B are constant and of appropriate dimension. The matrices Δ_µA and Δ_µB represent the uncertainties of the model which can be constant or time varying. The (time-varying) uncertainties are given in a polytopic representation: $Δ_{μ} A (t) = μ \sum_{i = l}^{M} λ_{i} (t) A_{i},$
$Δ_{μ} B (t) = μ \sum_{i = l}^{M} λ_{i} (t) B_{i},$

where M corresponds to the number of vertices. The matrices A_i, B_i and C_i are constant and of appropriate dimension. The scalar µ ∈ R characterizes the size of the uncertainties. Note that when µ = 0, no uncertainty parameter is disturbing the system. However the greater the value of µ, the greater the disturbances. The functions λ_i(.) are weighted scalar functions which follow a convexity property, i.e. for all i = 1, .., M and for all t ≥ 0: $λ_{i} (t) \geq 0, \sum_{i = 1}^{M} λ_{i} (t) = 1.$
It is assumed that the control computation induces a constant transmission delay T_slot and a sampling of the transmitted signal. As mentioned above, the control law is a piecewise-constant static state-feedback of the form: $u (t) = Kx (t_{kʹ} - T_{slot}), t_{kʹ} \leq t < t_{kʹ + 1},$

where the gain K in R^n×m is given.
These instants t_k' represent the instants where the control input is updated. The closed loop system is thus rewritten as $\forall t \in [t_{kʹ}, t_{kʹ + 1}], \dot{x} (t) = \overline{A} (t) x (t) + \overline{B} (t) Kx (t_{kʹ} - T_{slot})$

where A (t) = A+Δ_µ A(t) and B (t) = B + Δ_µ B(t). Several authors investigated in guaranteeing the stability of such systems. A continuous-time approach to model sampled-data systems allowing assimilating sampling effects as the ones of a particular delay or aggregating delay formulation has been investigated. They develop stability criteria which take into account the delay δ. However they did not consider the different natures of the transmission and the sampling delay. More especially the additional characteristic of sampled delay which is δ = 1 has not been included and thus leads to conservative conditions.
When µ is zero, the discrete-time modelling of such systems is obtained by integrating the differential equation (2) over the interval [t _k', t_k' + T], for any τ in [0, T ], $\begin{array}{l} x (t_{kʹ} + τ) = A (τ) x (t_{kʹ}) + B (τ) Kx (t_{kʹ} - T_{slot}), \\ \tilde{A} (τ) = e^{Aτ}, \tilde{B} (τ) = \int_{0}^{τ} e^{A (τ - θ)} dθB . \end{array}$
This equality leads to the introduction of a new notation. Define, for all integer k', the function $χ_{kʹ}^{T_{slot}} : [0, NT] \times [- T_{slot}, 0] \to R^{n}$
such that for all τ in [0, NT] and all θ in [-T_slot ,0], χ _k' (τ,θ)=x(t_k' +τ+θ). The set $K_{NT}^{T_{slot}}$
represents the set of functions defined by $χ_{k}^{T_{slot}}$
as the set of continuous functions from [0, NT]×[-T_slot , 0] to Rⁿ.
However, the same discretization method is not valid when the system is subject to time-varying uncertainties. Thus discrete-time analysis of (3) leads to unavoidable difficulties. Thus there is a need for a novel stability conditions to cope with this type of discrete-time systems.
The stability of systems subject to varying sampling, constant delay and time-varying uncertainties has thus to be assessed. The main idea is to consider separately the two types of delays. To do so, the stability conditions are based on the discrete-time Lyapunov Theorem but expressed with the continuous-time model of the system. It leads to less conservative necessary conditions.
In what follows, there is provided new stability conditions for systems submitted to uncertainties, delays and varying sampling.
Since the problem of sampled-data systems is at the boundary of the discrete and the continuous-time theories, the difference between the discrete and continuous-time Lyapunov Theorems is presented. In particular, there is presented a new stability criterion for systems, taken in a continuous-time model, using the discrete-time Lyapunov Theorem.
Theorem 1: Consider N , a positive integer. Let V : K^Tslot → R⁺ be a differentiable functional, for which there exist real numbers 0 < µ₁< µ₂ and p > 0 such that $\forall (x_{t}) \in K, μ_{1} {|x_{t} (0)|}^{p} \leq V (x_{t}) \leq μ_{2} {|x_{t}|}^{p} .$
The two following statements are equivalent.

(i) ∀k' ≥ 0, ΔV(k) = V(x_{t _k'}+1) - V(x_{t _k'}) < 0;
(ii) There exists a continuous functional $ν : R \times K_{T}^{T_{slot}} \to R,$
differentiable over the sampling intervals of the form [t _k',t _k'+1[ which satisfies, for all k ≥ 0 and Υ ∈ [T, NT] $ν (ϒ, χ_{k}^{T_{slol}}) = ν (0, χ_{k}^{T_{slol}}) .$

and such that, for all k >0 and for all rin [0, Υ], the following inequality holds $\overset{•}{W} (τ, χ_{k}^{T_{slol}}) < 0,$

where τ = τ(t) = t - t'_k and $\overset{•}{W} (τ, χ_{k}^{T_{slol}}) = \frac{ⅆ}{ⅆ t} \{[V (x_{t}) + ν (τ, χ_{k}^{T_{slol}})]\} .$

Moreover, if one of these two statements is satisfied, the solutions of system (2) are asymptotically stable.
The main idea remains in showing the equivalence between the conditions on the decreasing increment V(k) = V(x_{t k+1}) - V(x _tk ) < 0 and the existence of a continuous functional which coincides with the Lyapunov function at the sampling instants and which is strictly decreasing within all sampling intervals. The main contribution of Theorem 1 is that the introduction of the functional W allows the Lyapunov-Krasovskii functional V to be locally increasing. For the sake of simplicity, the notation τ, stand for the time-varying sampling delay τ(t).
Here, a study on the asymptotic stability of the solutions of sampled-data systems presented in (1) with µ=0 is provided. The objective is to design a functional which satisfies the conditions proposed in Theorem 1.

Theorem 2: Consider an integer N and two non negative scalars T_slot and T. Assume that there exist Q > 0, R₁ > 0 and R₂ > 0 ∈ Sⁿ, P > 0, U > 0 and S₁ ∈ S²ⁿ and three matrices S₂ and X ∈ R^2n×2n, Y ∈ R^5n×2n that satisfy for j=1,2:

Ψ_{1} (A, B) = Π_{1} (T_{slot}) + T_{j} Π_{2} + T_{j} Π_{3} < 0,

Ψ_{2} (A, B) = [\begin{matrix} Π_{1} (T_{slot}) - T_{j} Π_{3} & T_{j} Y \\ T_{j} Y^{T} & - T_{j} U \end{matrix}] < 0,

where T ₁ = T, T ₂ = NT and

\begin{array}{l} Π_{1} (T_{slot}) = 2 He \{N_{1}^{T} {PN}_{0}\} + M_{1}^{T} {QM}_{1} - M_{2}^{T} {QM}_{2} \\ + M_{0}^{T} (R_{1} + T_{slot} R_{2}) M_{0} - M_{2}^{T} R_{2} / T_{slot} M_{12} \\ - M_{5}^{T} R_{1} M_{5} - M_{12}^{T} S_{1} N_{12} - 2 He \{{YN}_{12}\} \\ - 2 He \{N_{2}^{T} S_{2} N_{12}\} \end{array}

Π_{2} = N_{0}^{T} U N_{0} + 2 He \{N_{0}^{T} (S_{1} N_{12} + S_{2}^{T} N_{2})\},

Π_{3} = N_{2}^{T} X N_{2}

and

M ₀ = [A 0 0 BK 0],	M ₁ = [I 0 0 0 0],
M ₂ = [0 I 0 0 0],	M ₃ = [0 0 I 0 0],
M ₄ = [0 0 0 I 0],	M ₅ = [0 0 0 0 I]
$N_{1} = {[M_{1}^{T} M_{2}^{T}]}^{T},$	$N_{0} = {[M_{0}^{T} M_{5}^{T}]}^{T},$
$N_{2} = {[M_{3}^{T} M_{4}^{T}]}^{T},$	M ₁₂ = M ₁ - M ₂,
N ₁₂ = N ₁ - N ₂

System (2) is thus asymptotically stable for any asynchronous sampling defined by (T, N) and the delay T_slot.
Proof: consider the functional: $\begin{array}{l} V (t, x_{t}, {\dot{x}}_{t}) = y^{T} (t) Py (t) + \int_{t - T_{slot}}^{t} x^{T} (s) Qx (s) ds \\ + \int_{t - T_{slot}}^{t} {\dot{x}}^{T} (s) (R_{1} + (T_{slot} - t + s) R_{2}) \dot{x} (s) ds \end{array}$
where y(t) = [x^T (t) x^T (t -T_slot )] ^T . Note that V corresponds to a classical Lyapunov-Krasovskii functional type to cope with the stability of constant time-delay systems. The objective is here to ensure that the variation of V between two successive sampling instants is negative. This means that $Δ V = V (t_{kʹ + 1}, x_{t_{kʹ + 1}}, {\dot{x}}_{t_{kʹ + 1}}) - V (t_{k}^{ʹ}, x_{t_{k}^{ʹ}}, {\dot{x}}_{t_{k}^{ʹ}})$
is definite negative for all positive integer k'. For any integer k', the sampling length is denoted Υ_k' = t_k'+1 - t_k' Consider the additional functional $\begin{matrix} V (t, χ_{k}^{T_{slot}}) = (ϒ_{kʹ} - τ) ζ_{0}^{T} (t) [S] [_{1} ζ_{0} (t) + 2 S_{2} y (t_{k})] \\ + (ϒ_{kʹ} - τ) \int_{t_{k}}^{t} {\dot{y}}^{T} (s) U \dot{y} (s) ds \\ + (ϒ_{kʹ} - τ) τ y^{T} (t_{k}) Xy (t_{k}), \end{matrix}$

where ζ₀(t) = y(t) - y(t_k' ), ξ(s) = [y^T (s) y^T (t_k' ) ẋ^T (s -T_slot )] ^T .
Note that the conditions from Theorem 2 include the robust stability properties with respect to the input delay T_slot. This means that (7) and (8) require the system to be stable at least for the transmission delay T_slot and T = T_i.
Now we consider µ#0. It is intended to extend the previous theorem to the case of time-varying uncertainties. In the previous stability theorem, the conditions depend almost linearly on the matrices defining the continuous-time model. Then the following corollary presents an extension of the previous theorem to uncertain and time-varying model.
Corollary 1: Consider an integer N and there non negative scalars T_slot, T and µ. Assume that there exist Q > 0, R₁> 0 and R₂> 0 ∈ Sⁿ, P > 0, U > 0 and S₁ ∈ S²ⁿ and three matrices S₂ and X_i∈ R^2n×2n, Y ∈ R^5n×2n that that satisfy, for i=1,...,M and j = 1, 2 $Ψ_{1 i} (A_{i}, B_{i}) = Π_{1 i} (T_{slot}) + T_{j} Π_{2 i} + T_{j} Π_{3 i} < 0,$
$Ψ_{2 i} (A_{i}, B_{i}) = [\begin{matrix} Π_{1 i} (T_{slot}) - T_{j} Π_{3 i} & T_{j} Y_{i} \\ T_{j} Y^{T} & - T_{j} U \end{matrix}] < 0,$

where $\begin{array}{l} Π_{1 i} (T_{slot}) = 2 He \{N_{1}^{T} {PN}_{0 i}\} + M_{1}^{T} {QM}_{1} - M_{2}^{T} {QM}_{2} \\ + M_{0 i}^{T} (R_{1} + T_{slot} R_{2}) M_{0 i} - M_{2}^{T} R_{2} / T_{slot} M_{12} \\ - M_{5}^{T} R_{1} M_{5} - M_{12}^{T} S_{1} N_{12} - 2 He \{Y_{i} N_{12}\} \\ - 2 He \{N_{2}^{T} S_{2} N_{12}\} \end{array}$
$Π_{2 i} = N_{0 i}^{T} U N_{0 i} + 2 He \{N\} \{_{0 i}^{T} (S) (_{1} N_{12} + S_{2}^{T} N_{2})\},$
$Π_{3 i} = N_{2}^{T} X_{i} N_{2}$

and

M _0i = [A_i 0 0 B_iK 0], $N_{0 i} = {[M_{0 i}^{T} M_{5}^{T}]}^{T};$

A_i = A + µA_i B_i = B + µB_i
System (2) is thus asymptotically stable for the periodic sampling defined by T and the delay T_slot.
Proof: Consider the stability conditions from Theorem 2. By noting that $\begin{array}{l} M_{0} (t) = [\overline{A} (t) 0 0 \overline{B} (t) K 0] = \sum_{i = 1}^{M} λ_{i} (t) M_{0 i} \\ N_{0} (t) = ⌈ M_{0}^{T} (t) M_{5}^{T} ⌉ = \sum_{i = 1}^{M} λ_{i} (t) N_{0 i} \end{array}$

and by introducing the matrices variables $Y (t) = \sum_{i - 1}^{M} λ_{i} (t) Y_{i}$
$X (t) = \sum_{i - 1}^{M} λ_{i} (t) X_{i}$

most of the terms defined in Ψ₁( A (t), B (t)) and Ψ₂( A (t), B (t) are linear with respect to the time-varying terms. However the terms $M_{0}^{T} (t) (R_{1} + T_{slot} R_{2}) M_{0} (t)$
and $N_{0}^{T} (t) U N_{0} (t)$
are still not linear with respect to the matrices M ₀(t) and N ₀(t). However the Schur complement allows obtaining expressions which become linear with respect to these two time-varying matrices. Then this proves that $Ψ_{1} (\overline{A} (t), \overline{B} (t)) = \sum_{i - 1}^{M} λ_{i} (t) Ψ_{1 i} (A_{i}, B_{i}),$
$Ψ_{2} (\overline{A} (t), \overline{B} (t)) = \sum_{i - 1}^{M} λ_{i} (t) Ψ_{2 i} (A_{i}, B_{i})$
Then if all the linear matrix inequalities (LMI) ψ_1i(A_i,B_i) and ψ_2i(A_i,B_i) are satisfied for i = 1, ... , M , then the conditions of Theorem 2 are also verified for the time-varying system (1).
In what follows, the methodology described above is applied to an exemplary study of the pitch control of an F-16 aircraft.
The case study applies the application of the robustness approach described above to a weakened scheduling scheme for the pitch controller of an aircraft. In the present example, we only consider the so-called "short period approximation" linearized model of an aircraft around the pitch axis. This model may be given by a state equation: ${\begin{matrix} E \dot{x} & = Fx + Gu \\ y & = Hx \end{matrix}$
The state vector is x = [α θ q] and the input vector is u = δE where

α is the angle of attack
θ is the pitch angle
q is the pitch rate.
δ _E is the elevator deflection

The transition, control and observation matrices are respectively given by: $\begin{array}{l} E = [\begin{matrix} V_{T} - Z_{\dot{α}} & 0 & 0 \\ 0 & 1 & 0 \\ - M_{\dot{α}} & 0 & 0 \end{matrix}] \\ F = [\begin{matrix} Z_{α} & - g_{0}^{ʹ} \sin γ_{e} & V_{T} + Z_{q} \\ 0 & 0 & 1 \\ M_{α} & 0 & M_{q} \end{matrix}] \\ G = [\begin{matrix} Z_{δ_{e}} \\ 0 \\ M_{δ_{e}} \end{matrix}], H = [\begin{matrix} 0 & 0 & 0 & 180 / π \\ 0 & 180 / π & 0 & 0 \end{matrix}] \end{array}$

where matrix E is always non-singular in normal flight conditions. The model parameters $(V_{T}, Z_{α}, Z_{\begin{matrix} ¿ \\ α \end{matrix}}, g_{0}^{ʹ}, M_{α}, M_{\begin{matrix} ¿ \\ α \end{matrix}}, γ_{e}, Z_{q}, M_{q}, Z_{δ_{e}}, M_{δ_{e}})$
are the dimensionless derivatives of the standard aircraft which may be found in B. L. Stevens and F. L. Lewis, Aircraft Control and Simulation. Wiley-Interscience, 2003 .
Figure 8 is a block-diagram of the pitch control system. A reference signal r is fed to the system and is compared by a comparator 800 with a signal q output by a module 801 representing the model of the F-16 aircraft. The output of the comparator 800 is then fed to an integrator unit 802 the output of which β is fed to a gain (k₁) unit 803. Indeed, state-of-the-art pitch control design takes into account the elevator's dynamics, and an integrator is added in the feed-forward channel to ensure a zero steady-state error.
The output of the gain unit 803 if fed along with a signal b described hereafter to a summing and inverting unit 804. The output of unit 804 is signal u and is fed to the unit 805 representing the actuators of the aircraft with a first order transfer function. The output δ_E of the unit 805 is fed to unit 801.
Unit 801 outputs signals q and α. The noisy angle of attack α is fed to a low-pass filter unit 806 the output of which is fed to a gain (k_α) unit 807. Signal q is fed to a gain (kq) unit 808. The output signals from the gain units 807 and 808 are fed to a summing unit 809 the output of which is signal b.
The full controlled plant has an augmented state vector given by [δ q δ _E α _F β] where α _F is the filtered measure of α and β is the output of the integrator. We can then obtain standard state space equation of the form: ${\begin{cases} \dot{x} = Ax + Bu \\ y = Cx \end{cases}$

where
A = E ^-1 F and B = E ^-1 G. The augmented system has the structure and dimensions instantiated, e.g., in system (16).

In our case study, we have considered the F-16 aircraft with the flight conditions given in table I below:

Variable	Nominal	x_cg=0.3 c	x_cg=0.38 c
V_T (ft/s)	502.0	502.0	502.0
α (rad)	0.03691	0.03936	0.03544
θ (rad)	0.03936	0.03936	0.03544
q (rad/s)	0	0	0
Thtl (0-1)	0.1385	0.1485	0.1325
δ_E (deg)	-0.7588	-1.931	-0.05590

The nominal condition is: h = 0ft, x_cg = 0.35 c , θ̇, h being the altitude, x_cg is the centre of gravity location in fraction of C which is the mean aerodynamic chord of the aircraft. Using the nominal condition and a flight at sea level, we obtain the following numerical values for the pitch model: $A = [\begin{matrix} - 1.01887 & 0.90506 & - 0.00215 & 0 & 0 \\ 0.82225 & 0 & - 0.17555 & 0 & 0 \\ 0 & 0 & - 20.0 & 0 & 0 \\ 10.0 & 0 & 0 & - 10 & 0 \\ 0 & - 57.2958 & 0 & 0 & 0 \end{matrix}]$
$B = [\begin{matrix} 0 \\ 0 \\ 20.2 \\ 0 \\ 0 \end{matrix}], C = [\begin{matrix} 0 & 0 & 0 & 57.2958 & 0 \\ 0 & 57.2958 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 \end{matrix}] .$
An output feedback controller u = Ky = -k _αα _F - k_qq - k_i β is designed using standard pole placement giving K = [-0.04238; -0.4098; 0.8426]. The control period is chosen as T=0.08 sec, and the nominal computing slot is chosen as WCET=0.02 sec (considering that the CPU is shared by four control tasks). The matrices A_i and B_i, elements of the convex combination Δ_µA(t) and Δ_µB(t) are defined in a simple 2 vertices polytope as for i = 1, 2 A_i = (-1) ⁱA and B_i = (-1) ⁱB.
Starting from the initial 'hard real-time' pattern described in Figure 4, where a WCET time slot is allocated to the control task with a period T, two weakened scheduling scheme, illustrated in Figure 9, have been considered.
In the first case (Case 1), a time slot T_slot < WCET is allocated to the control task, but the system's period T keeps its initial value of Figure 4. In that case some extra time remains to compute other activities between the end of T_slot and the new control activation, i.e. T_{others_new} = T_others + (WCET - T_slot). Some control improvement results from the reduction of the latency from WCET to T_slot.
In the second case (Case 2), a time slot T_slot < WCET is allocated to the control task, but the system's period is now also reduced by the same value, i.e. T_new = T - (WCET - T_slot), while the time remaining for computing other activities remains T_others as in the initial scheme of Figure 4. In that case control improvement results from both the latency and sampling period reduction.
The stability conditions of Theorem 2 are used to find the relations between the computing slot value (given by the ratio $ϵ = \frac{T_{slot}}{WCET}$
and the maximum number of consecutive missed deadlines before instability N, for the two cases and for several values of the uncertainty multiplier µ. As already discussed above, the uncertainty multiplier models the uncertainties concerning the parameters of the system. For example, during the flight, the mass, the speed of the aircraft cannot be measured ideally. Therefore, an uncertainty parameter is introduced to reflect the uncontrolled phenomena acting on the parameters. This parameter may also take into account the non-linear behaviour of the real system which has not been introduced during the model linearization.
The results of the analysis of Case 1, illustrated in Figure 10 , show that the tolerance of the feedback controller with respect to missed deadlines, measured by N, increases when T_slot is decreased (therefore also decreasing the systematic latency). It also shows that increasingly uncertain systems, with growing values of µ (referenced as µ₁, µ₂ and µ₃), are less tolerant with respect to missed deadlines.
The results for Case 2 are illustrated in Figure 11 . The number N of sustainable consecutive missed deadlines is even improved, as the reduction of T_slot induces a decreasing in both the delay and the sampling interval.
Nevertheless, decreasing T_slot increases the risk of missing deadlines. For a given distribution of execution times of the control task, the probability of missing deadlines decreases from 1 to 0 as the scheduling factor $ϵ = \frac{T_{slot}}{WCET}$
decreases from 1 (T_slot=WCET) to a minimum value where T_slot = BCET (Best Case Execution Time), as represented by the bold curve in Figures 12 and 13 respectively corresponding to the results for Case 1 and Case 2. Assuming that the execution times of the task instances are independent, the probability of reaching the maximum tolerable number of consecutive missed deadlines are given in the same Figures 12 and 13 for the two scheduling cases and for different values of the uncertainty µ. Hence, for a given scheduling scheme and uncertainty assumption, it is possible to compute the $ϵ = \frac{T_{slot}}{WCET}$
scheduling factor corresponding at a given failure probability, e.g. requested by some certification process.
It is thus possible to refine the execution time and let the system go at a given pace as long as the system's stability is mathematically guaranteed (and also numerically using the LMI's based on the theorems for large-order systems). The system analysis allows evaluating the probability of keeping the system stable by evaluating the probability of reaching the maximum tolerable number of consecutive missed deadlines for each value of ε. The system designer may thus determine a trade-off between Quality of Control, level of fault tolerance and the system's safety.
Figures 14a and 14b are logarithmic views of the graph in Figure 12 (Case 1) showing the evolution of the probability for µ1 and µ2 (Figure 14a) and for µ3 (Figure 14b). Figures 15a and 15b are logarithmic views of the graph in Figure 13 (Case 2) showing the evolution of the probability for µ1 and µ2 (Figure 15a) and for µ3 (Figure 15b). The trade-off is likely to be found when ε is larger than 0.5, since for ε below 0.5 P(N_max) is high. Indeed, the curves in figures 14a, 14b and 15a, 15b show that probability of reaching the maximum tolerable number of consecutive missed deadlines is in the range of 10^-9. For example, when µ = µ₂ = 0.25 and ε = 0.857 , P(N_max) = 2.36.10^-9.
The Inventors have thus shown that the hard real-time assumption upon which most critical control systems are implemented in the prior art can be revisited based on robustness considerations. They have provided new stability conditions for feedback linear systems submitted to delays, varying sampling and uncertainties.
When implemented under a weakened scheduling scheme, it happens that a control task misses its deadline. In that case the computation is aborted and the preceding control signal is hold for an extra control period, therefore leading to a varying sampling system.
In this framework the new stability condition allows for computing the maximum number of consecutive missed deadlines which can be tolerated by an uncertain system while keeping stability, considering a given scheduling factor.
The Inventors have thus provided a basis for system designers for design and implementation rules for finding cost effective trade-offs between embedded computing power, control performance, control robustness and overall fault-tolerance.
A computer program according to embodiments may be designed based on the flowchart of Figure 2 and the present description.
Figure 16 is a schematic illustration of a system 160 according to embodiments. The system comprises a RAM (Random Access Memory) unit 162 for storing processing data used for computations for implementing a method according to embodiments. The system may also comprise a ROM (Read Only Memory) unit 163 for storing a computer program according to an embodiment. The system further comprises a control unit 161. The control unit may comprise a processor configured for implementing a method according to an embodiment, for example by executing instructions of a computer program according to embodiments. The computer program may be stored in and loaded from the ROM unit 163. The control unit may also comprise other processors dedicated to the execution of tasks of the system. Some of the processor may be main processors used during the normal execution of the tasks and some of the processors may be auxiliary processors used in case of a failure of one or several main processors.
The system also comprises an interface unit 164 for receiving commands from a user (such as a pilot) or from a command system (such as a cockpit lever). The system further comprises a sensing unit 165 with a set of sensors (such as a speed sensor or a pitch sensor) for performing measurements used for the control of the system by the control unit and an actuating unit 166 comprising actuators (such as ailerons or engines) for performing actions controlled by the control unit.
While the invention has been illustrated and described in detail in the drawings and foregoing description, such illustration and description are to be considered illustrative or exemplary and not restrictive, the invention being not restricted to the disclosed embodiment. Other variations to the disclosed embodiment can be understood and effected by those skilled in the art in practicing the claimed invention, from a study of the drawings, the disclosure and the appended claims.
In particular, the present invention is not limited to avionics systems. The present invention may have other applications in control systems for a power plant, a chemical reactor, for an automobile or in other fields.
In the claims, the word "comprising" does not exclude other elements or steps, and the indefinite article "a" or "an" does not exclude a plurality. A single processor or other unit may fulfil the functions of several items recited in the claims. The mere fact that different features are recited in mutually different dependent claims does not indicate that a combination of these features cannot be advantageously used. Any reference signs in the claims should not be construed as limiting the scope of the invention.

Claims

A method of controlling a system comprising the following steps:
- launching (S201) a task, said task being associated with a worst case execution time; and

- monitoring (S202, S203) the end of the task after a time slot allocated to the execution of the task;
wherein said time slot is shorter than said worst case execution time,
wherein said task is launched periodically according to a fixed period of time,

wherein when the execution of the task does not end before the allocated time slot, the method further comprises outputting (S205) a value calculated based on a previous input value, and
wherein the time slot is determined so that a statistical maximum number of consecutive tasks that do not end before the time slot is below a performance threshold.
A method according to claim 1, wherein when the execution of the task ends before the allocated time slot, the method further comprises outputting (S204) a value calculated based on a current input value.
A method according to claim 1, further comprising stopping the task and launching the task again at the next period of time with a next input value.
A method according to any one of the preceding claims, wherein the system has a feedback loop.
A method according to any one of the preceding claims, wherein the task corresponds to an instance of a computer program.
A method according to any one of the preceding claims, wherein the task corresponds to a command of an actuator of the system.
A computer program comprising instructions for implementing a method according to any one of the preceding claims when the program is loaded and executed by a programmable apparatus.
A system (160) comprising a control unit (161) configured to carry out a method according to any one of claims 1 to 6.
Aircraft command system comprising a system according to claim 8.
Aircraft comprising a system according to any one of claims 8 and 9.